2013 State of the Endpoint
Presentation by Dr. Larry Ponemon
December 5, 2012

About Ponemon Institute
•    Ponemon Institute conducts independent research on cyber security, data
     protection and privacy issues.
•    Since our founding 11+ years ago our mission has remained constant, which is
     to enable organizations in both the private and public sectors to have a clearer
     understanding of the practices, enabling technologies and potential threats that
     will affect the security, reliability and integrity of information assets and IT
     systems.
•    Ponemon Institute research informs organizations on how to improve upon their
     data protection initiatives and enhance their brand and reputation as a trusted
     enterprise.
•    In addition to research, Ponemon Institute offers independent assessment and
     strategic advisory services on privacy and data protection issues. The Institute
     also conducts workshops and training programs.
•    The Institute is frequently engaged by leading companies to assess their privacy
     and data protection activities in accordance with generally accepted standards
     and practices on a global basis.
•    The Institute also performs customized benchmark studies to help organizations
     identify inherent risk areas and gaps that might otherwise trigger regulatory
     action.

12/4/2012                       Ponemon Institute: Private & Confidential Information   2
Introduction

•     Since 2010, Ponemon Institute and Lumension have tracked endpoint risk
      in organizations, the resources to address the risk and the technologies
      deployed to manage threats.

•     This study reveals that the state of endpoint risk is not improving. One of the
      top concerns is the proliferation of personally owned mobile devices in the
      workplace such as smart phones and iPads.

•     Malware attacks are increasing and are having a significant impact on IT
      operating expenses. Advanced persistent threats and hacktivism pose the
      biggest headache to IT security pros.

Methods
A random sampling frame of 17,744 IT and IT security practitioners located in all regions
of the United States was selected as participants in this survey. As shown below, 923
respondents completed the survey. Screening removed 178 surveys, and an additional 74
surveys that failed reliability checks were also removed. The final sample was 671 surveys
(a 3.8 percent response rate).

Sample response          FY 2012    FY 2011    FY 2010
Total sampling frame      17,744     18,988     11,890
Total returns                923        911        782
Rejected surveys              74         80         65
Screened surveys             178        143        153
Final sample                 671        688        564
Response rate               3.8%       3.6%       4.7%

Distribution of respondents according to primary industry classification

(Pie chart. Values are paired with legend entries in legend order, assuming the slices
run clockwise from the top in that order; the extracted label positions support this
and the values sum to 100%.)
Financial Services           20%
Health & pharmaceuticals     12%
Public Sector                10%
Retailing                     9%
Services                      8%
Technology & software         7%
Hospitality                   5%
Industrial                    5%
Education & research          5%
Energy                        4%
Consumer products             3%
Communications                3%
Entertainment & media         3%
Agriculture                   2%
Defense                       2%
Transportation                2%

What organizational level best describes your current position?

(Pie chart. Values are paired with legend entries in legend order, assuming the slices
run clockwise from the top in that order; the extracted label positions support this
and the values sum to 100%.)
Director       19%
Manager        26%
Supervisor     19%
Technician     23%
Staff           7%
Contractor      3%
Other           3%

The primary person you or the IT security leader reports to within the organization

(Pie chart. Values are paired with legend entries in legend order, assuming the slices
run clockwise from the top in that order; the extracted label positions support this
and the values sum to 100%.)
Chief Information Officer             54%
Chief Information Security Officer    23%
Chief Risk Officer                     9%
Compliance Officer                     6%
Chief Security Officer                 4%
General Counsel                        3%
Chief Financial Officer                1%

Worldwide headcount

(Pie chart. Legend: Less than 500 people; 500 to 1,000 people; 1,001 to 5,000 people;
5,001 to 25,000 people; 25,001 to 75,000 people; More than 75,000 people.
Slice values shown: 4%, 7%, 19%, 16%, 21%, 33% (sum 100%). The extracted label
positions do not allow these values to be assigned to legend entries reliably.)

Results
The endpoint threat landscape
IT security risks considered to be on the rise
Three choices permitted in 2010 and 5 choices permitted in 2011 and 2012

                                               FY 2012   FY 2011   FY 2010
Mobile devices                                   73%       48%        9%
Across 3rd party applications                    67%       56%       45%
Mobile/remote employees                          53%       49%       44%
Our PC desktop/laptop                            45%       41%       44%
Negligent insider risk *                         44%       43%        --
Cloud computing infrastructure & providers       41%       43%       18%
Removable media and/or media (CDs, DVDs)         39%       42%       10%
* This choice was not available for all fiscal years

IT security risks believed to be decreasing or staying the same
Three choices permitted in 2010 and 5 choices permitted in 2011 and 2012

                                            FY 2012   FY 2011   FY 2010
Lack of organizational alignment *            36%       39%        --
Lack of system connectivity/visibility *      25%       29%        --
Virtual computing environments                19%       28%       20%
Our server environment                        19%       29%       32%
Malicious insider risk *                      15%       16%        --
Network infrastructure environment            10%       14%       11%
Within operating systems                       8%       10%       11%
Our data centers                               6%       12%       14%
* This choice was not available for all fiscal years

Is your IT network more secure now than it was a year ago?

           FY 2012   FY 2011   FY 2010
Yes          33%       34%       36%
No           46%       41%       36%
Unsure       21%       25%       28%

IT security risks of most concern since 2010
More than three choices permitted in 2010 and 3 choices permitted in 2011 and 2012

                                                        FY 2012   FY 2011   FY 2010
Increased use of mobile platforms *                       47%       36%        --
Advanced persistent threats                               36%       24%       24%
Intrusions and data loss within virtual environments      22%       23%       13%
* This choice was not available for all fiscal years

IT security risks that have declined or stayed the same
More than three choices permitted in 2010 and 3 choices permitted in 2011 and 2012

                                                                          FY 2012   FY 2011   FY 2010*
Negligent insider risk                                                      15%       28%       50%
Growing volume of malware                                                   30%       29%       61%
Use of insecure cloud computing resources                                   28%       31%       49%
Insufficient budget resources                                               30%       32%       47%
Increasingly sophisticated & targeted cyber attackers                       31%       26%       40%
Malicious insider risk                                                      12%       11%       19%
Inability to measure policy compliance *                                     6%       12%        --
Insufficient collaboration among IT & business operations *                 13%       16%        --
Lack of integration between endpoint operations & security technologies     18%       17%       20%
Lack of an organizational wide security strategy *                          12%       13%        --
* This choice was not available for all fiscal years

Mobility is an IT security headache
Mobile devices pose a significant security risk
Strongly agree and agree response combined

FY 2012   80%
FY 2011   74%

Technologies expected to increase in the next 12 to 24 months
Substantial increase and increase response combined

                                                   FY 2012   FY 2011
Mobile devices / smart phones                        75%       70%
Use of 3rd party cloud computing infrastructure      63%       56%
Virtualized environments                             61%       52%
Use of internal cloud computing infrastructure       53%       35%
Security event and incident management *              --       45%
Social media / Web 2.0 *                              --       72%
* This choice was not available for FY 2012

Important mobile device management features
Three choices permitted

                                                FY 2012   FY 2011
Provisioning and access policy management         70%       62%
Virus and malware detection or prevention         65%       55%
Encryption and other data loss technologies       44%       49%
Asset tracking                                    43%       47%
Anti-theft features                               39%       42%
Remote wipe capability                            38%       41%
Other                                              1%        3%

Personal mobile device use in the workplace

                     FY 2012   FY 2011
None                    2%        3%
1 to 25%               16%       23%
26 to 50%              28%       34%
51 to 75%              29%       20%
More than 75%          18%       13%
Cannot determine        7%        7%

Security policy for employee owned devices

                                                                   FY 2012   FY 2011
No                                                                   29%       21%
No, but we plan to                                                   19%       21%
Yes, we secure them similar to corporate devices                     39%       46%
Yes, we use stricter standards than we do for corporate devices      13%       12%

Most vulnerable third-party applications
Three choices permitted

                                               FY 2012   FY 2011   FY 2010
Google Docs                                      55%       47%       46%
Adobe                                            55%       50%       54%
Microsoft OS/applications                        44%       49%       57%
General 3rd party apps outside of Microsoft      40%       46%       58%
Apple/Mac OS                                     30%       24%       15%
Apple apps                                       28%       20%       14%
VMware                                           18%       20%       17%
Oracle applications                              15%       22%       10%
WinZip                                           11%       16%       19%
Mozilla Firefox                                   3%        6%        2%
Other                                             0%        1%        4%

The malware threat
Monthly malware attempts or incidents

                FY 2012   FY 2011   FY 2010
Less than 5        2%        3%        6%
5 to 10            9%        9%       11%
11 to 25          11%       13%       21%
26 to 50          23%       32%       35%
More than 50      35%       43%       27%
Not sure          20%        --        --
(No FY 2011 or FY 2010 value is shown for "Not sure"; the other FY 2011 and FY 2010 values already sum to 100%.)

Changes in malware incidents over the past year

                                  FY 2012   FY 2011   FY 2010
Yes, major increase                 37%       31%       26%
Yes, but only slight increase       18%       22%       21%
No, they stayed the same            22%       25%       25%
No, they have decreased              8%        8%        9%
Not sure                            15%       14%       17%

Most frequent and annoying incidents
More than one choice permitted

Incident                                               Seen frequently   Biggest headache
General malware                                              86%                2%
Web-borne malware attacks                                    79%                3%
Rootkits                                                     65%                4%
Botnet attacks                                               55%                8%
Advanced persistent threats / Targeted attacks*              54%               25%
Spyware                                                      45%                0%
Clickjacking                                                 43%                7%
Hacktivism                                                   41%               15%
Zero day attacks                                             31%               13%
SQL injection                                                29%               12%
Exploit existing software vulnerability < 3 months           28%                5%
Exploit existing software vulnerability > 3 months           26%                6%
Other                                                         5%                0%

*Termed Targeted Attacks in the 2011 survey

Which incidents are you seeing frequently in your organization's IT networks?
Which one incident represents your biggest headache?

IT operating costs increase due to malware

Response             FY 2012   FY 2011   FY 2010
Very significant        21%       22%       14%
Significant             43%       41%       40%
Some significance       28%       29%       32%
None                     8%        8%       14%

Barriers to achieving optimal security
IT security budget changes from last year

Response          FY 2012   FY 2011
Increase             29%       25%
Stay the same        48%       56%
Decrease             12%       10%
Unsure               11%        9%

Collaboration between IT operations and IT security

Response                                           FY 2012   FY 2011
Collaboration is excellent                            13%       12%
Collaboration is adequate, but can be improved        46%       48%
Collaboration is poor or non-existent                 41%       40%

Admin privileges allowed

Response                                     Percent
No                                              40%
Yes, to part of the user environment            41%
Yes, to the entire user environment             19%

Greatest challenges in meeting federal compliance regulations
Two choices permitted

Challenge                                            Percent
Lack of resources                                       75%
Increasing audit burden                                 73%
Explaining issues and requirements to management        15%
Inconsistent reporting                                  11%
Manual data collection                                   9%
None of the above                                       12%

Impact of external compliance requirements on IT security function
Two choices permitted

Impact                                                           Percent
More personnel and funding for meeting compliance initiatives       56%
More funding for purchasing security technologies                   53%
Better understanding of organizational IT risk                      24%
Improved control procedures                                         20%
Requirements to update or create new policies                       12%
Requirements to update or create new training procedures            10%
Formal audits to ensure policy enforcement                           9%
None of the above                                                   13%

Current and future technologies
Technologies in use or to be invested in over the next 12 months
More than one choice permitted

Technology                                  Current use of technology   Expected increase in use of technology
Application control firewall                           45%                            55%
Application control/whitelisting                       38%                            55%
Endpoint management and security suite                 34%                            49%
SEIM                                                   42%                            47%

Most effective tools for reducing IT risk
Fiscal years 2012 and 2011 limited to 5 choices

Tool                                                    FY 2012   FY 2011   FY 2010
Privilege management *                                     46%       n/a       n/a
Vulnerability assessment *                                 45%       55%       70%
Security event and incident management *                   40%       43%       n/a
Endpoint management & security suites/platforms            40%       41%       48%
Endpoint firewall                                          39%       43%       59%
Device control                                             37%       44%       57%
Application control firewall                               37%       42%       52%
Application control/whitelisting                           36%       37%       44%
Anti-virus & anti-malware                                  33%       40%       57%

* This choice not available for all fiscal years

Reasons for migrating to Windows 8
Two choices permitted

Reason                                         Percent
Efficiency and user productivity gains            43%
Improvements in security                          38%
Improvements in speed and performance             37%
Stability of the operating system                 33%
Interoperability issues with other systems        31%
Improvements in vendor support                    19%

Cloud computing and endpoint security
The existence and enforcement of cloud security policies

Response    Centralized cloud security policy?   Enforce employees' use of private clouds?
Yes                       40%                                   41%
No                        36%                                   45%
Unsure                    24%                                   14%

Does your organization have a centralized cloud security policy?
Do you enforce employees' use of private clouds?

Conclusion & Recommendations
•     Create acceptable use policies for personally owned devices in the
      workplace.

•     Conduct risk assessments and consider the use of an integrated endpoint
      security suite that includes vulnerability assessment, device control, anti-
      virus and anti-malware.

•     Establish governance practices for privileged users at the device level to
      define acceptable use of mobile, BYOD and corporate-owned assets as well
      as to limit the installation of third-party applications.

•     Ensure that policies and procedures clearly state the importance of
      protecting sensitive and confidential information stored in the cloud.

•     To better address the difficulties in managing the endpoint risk, collaboration
      between IT operations and IT security should be improved to achieve a
      better allocation of resources and the creation of strategies to address risks
      associated with hacktivism, BYOD, third-party applications and cloud
      computing.


Caveats
•     There are inherent limitations to survey research that need to be carefully considered
      before drawing inferences from findings. The following items are specific limitations
      that are germane to most web-based surveys.

•     Non-response bias: The current findings are based on a sample of survey returns.
      We sent surveys to a representative sample of individuals, resulting in a large number
      of usable returned responses. Despite non-response tests, it is always possible that
      individuals who did not participate are substantially different in terms of underlying
      beliefs from those who completed the instrument.

•     Sampling-frame bias: The accuracy is based on contact information and the degree
      to which the list is representative of individuals who are IT or IT security practitioners.
      We also acknowledge that the results may be biased by external events such as
      media coverage. We also acknowledge bias caused by compensating subjects to
      complete this research within a holdout period.

•     Self-reported results: The quality of survey research is based on the integrity of
      confidential responses received from subjects. While certain checks and balances
      can be incorporated into the survey process, there is always the possibility that a
      subject did not provide a truthful response.



Questions?

               Ponemon Institute
                  www.ponemon.org
                   Tel: 231.938.9900
                Toll Free: 800.887.3118
Michigan HQ: 2308 US 31 N. Traverse City, MI 49686 USA
               research@ponemon.org

Greatest IT Security Risks of 2013: Annual State of the Endpoint Report

  • 4. Methods
    A random sampling frame of 17,744 IT and IT security practitioners located in all regions of the United States was selected as participants in this survey. As shown below, 923 respondents completed the survey. Screening removed 178 surveys, and an additional 74 surveys that failed reliability checks were removed. The final sample was 671 surveys (a 3.8 percent response rate).

        Sample response          FY 2012   FY 2011   FY 2010
        Total sampling frame      17,744    18,988    11,890
        Total returns                923       911       782
        Rejected surveys              74        80        65
        Screened surveys             178       143       153
        Final sample                 671       688       564
        Response rate               3.8%      3.6%      4.7%
  • 5. Distribution of respondents according to primary industry classification
    [Pie chart: Financial Services, Health & pharmaceuticals, Public Sector, Retailing, Services, Technology & software, Hospitality, Industrial, Education & research, Energy, Consumer products, Communications, Entertainment & media, Agriculture, Defense, Transportation; segment shares range from 2% to 20%]
  • 6. What organizational level best describes your current position?
    [Pie chart: Director, Manager, Supervisor, Technician, Staff, Contractor, Other; segment shares range from 3% to 26%]
  • 7. The primary person you or the IT security leader reports to within the organization
    [Pie chart: Chief Information Officer, Chief Information Security Officer, Chief Risk Officer, Compliance Officer, Chief Security Officer, General Counsel, Chief Financial Officer; segment shares range from 1% to 54%]
  • 8. Worldwide headcount
    [Pie chart: Less than 500 people, 500 to 1,000 people, 1,001 to 5,000 people, 5,001 to 25,000 people, 25,001 to 75,000 people, More than 75,000 people; segment shares range from 4% to 33%]
  • 10. The endpoint threat landscape
  • 11. IT security risks considered to be on the rise (three choices permitted in 2010, five choices permitted in 2011 and 2012)

        Risk                                              FY 2012   FY 2011   FY 2010
        Mobile devices                                        73%       48%        9%
        Across 3rd party applications                         67%       56%       45%
        Mobile/remote employees                               53%       49%       44%
        Our PC desktop/laptop                                 45%       41%       44%
        Negligent insider risk *                              44%       43%         -
        Cloud computing infrastructure & providers            41%       43%       18%
        Removable media and/or media (CDs, DVDs)              39%       42%       10%
        * This choice was not available for all fiscal years
  • 12. IT security risks believed to be decreasing or staying the same (three choices permitted in 2010, five choices permitted in 2011 and 2012)

        Risk                                              FY 2012   FY 2011   FY 2010
        Lack of organizational alignment *                    36%       39%         -
        Lack of system connectivity/visibility *              25%       29%         -
        Virtual computing environments                        19%       28%       20%
        Our server environment                                19%       29%       32%
        Malicious insider risk *                              15%       16%         -
        Network infrastructure environment                    10%       14%       11%
        Within operating systems                               8%       10%       11%
        Our data centers                                       6%       12%       14%
        * This choice was not available for all fiscal years
  • 13. Is your IT network more secure now than it was a year ago?
    [Bar chart: Yes / No / Unsure responses for FY 2012, FY 2011 and FY 2010]
  • 14. IT security risks of most concern since 2010 (more than three choices permitted in 2010, three choices permitted in 2011 and 2012)

        Risk                                                      FY 2012   FY 2011   FY 2010
        Increased use of mobile platforms *                           47%       36%         -
        Advanced persistent threats                                   36%       24%       24%
        Intrusions and data loss within virtual environments          22%       23%       13%
        * This choice was not available for all fiscal years
  • 15. IT security risks that have declined or stayed the same (more than three choices permitted in 2010, three choices permitted in 2011 and 2012)

        Risk                                                      FY 2012   FY 2011   FY 2010
        Negligent insider risk                                        15%       28%       50%
        Growing volume of malware                                     30%       29%       61%
        Use of insecure cloud computing resources                     28%       31%       49%
        Insufficient budget resources                                 30%       32%       47%
        Increasingly sophisticated & targeted cyber attackers         31%       26%       40%
        Malicious insider risk                                        12%       11%       19%
        Also charted, each at 20% or below in every year shown: Inability to measure policy compliance *, Insufficient collaboration among IT & business operations *, Lack of integration between endpoint operations & security technologies, Lack of an organizational wide security strategy *
        * This choice was not available for all fiscal years
  • 16. Mobility is an IT security headache
  • 17. Mobile devices pose a significant security risk (strongly agree and agree responses combined)
    [Bar chart: 80% and 74% for the two fiscal years charted, FY 2012 and FY 2011]
  • 18. Technologies expected to increase in the next 12 to 24 months (substantial increase and increase responses combined)

        Technology                                            FY 2012   FY 2011
        Mobile devices / smart phones                             75%       70%
        Use of 3rd party cloud computing infrastructure           63%       56%
        Virtualized environments                                  61%       52%
        Use of internal cloud computing infrastructure            53%       35%
        Security event and incident management *                    -       45%
        Social media / Web 2.0 *                                    -       72%
        * This choice was not available for FY 2012
  • 19. Important mobile device management features (three choices permitted)

        Feature                                               FY 2012   FY 2011
        Provisioning and access policy management                 70%       62%
        Virus and malware detection or prevention                 65%       55%
        Encryption and other data loss technologies               44%       49%
        Asset tracking                                            43%       47%
        Anti-theft features                                       39%       42%
        Remote wipe capability                                    38%       41%
        Other                                                      1%        3%
  • 20. Personal mobile device use in the workplace
    [Bar chart of the share of employees using personal mobile devices: None, 1 to 25%, 26 to 50%, 51 to 75%, More than 75%, Cannot determine; FY 2012 and FY 2011]
  • 21. Security policy for employee owned devices
    [Bar chart: No; No, but we plan to; Yes, we secure them similar to corporate devices; Yes, we use stricter standards than we do for corporate devices; FY 2012 and FY 2011]
  • 22. Most vulnerable third-party applications (three choices permitted)

        Application                                           FY 2012   FY 2011   FY 2010
        Google Docs                                               55%       47%       46%
        Adobe                                                     55%       50%       54%
        Microsoft OS/applications                                 44%       49%       57%
        General 3rd party apps outside of Microsoft               40%       46%       58%
        Apple/Mac OS                                              30%       24%       15%
        Apple apps                                                28%       20%       14%
        VMware                                                    18%       20%       17%
        Oracle applications                                       15%       22%       10%
        WinZip                                                    11%       16%       19%
        Mozilla Firefox                                            3%        6%        2%
        Other                                                      0%        1%        4%
  • 24. Monthly malware attempts or incidents
    [Bar chart: Less than 5, 5 to 10, 11 to 25, 26 to 50, More than 50, Not sure; FY 2012, FY 2011 and FY 2010]
  • 25. Changes in malware incidents over the past year
    [Bar chart: Yes, major increase; Yes, but only slight increase; No, they stayed the same; No, they have decreased; Not sure; FY 2012, FY 2011 and FY 2010]
  • 26. Most frequent and annoying incidents (more than one choice permitted)
    Two questions: Which incidents are you seeing frequently in your organization's IT networks? Which one incident represents your biggest headache?

        Incident                                                   Seen frequently   Biggest headache
        General malware                                                       86%                 2%
        Web-borne malware attacks                                             79%                 3%
        Rootkits                                                              65%                 4%
        Botnet attacks                                                        55%                 8%
        Advanced persistent threats / Targeted attacks *                      54%                25%
        Spyware                                                               45%                 0%
        Clickjacking                                                          43%                 7%
        Hacktivism                                                            41%                15%
        Zero day attacks                                                      31%                13%
        SQL injection                                                         29%                12%
        Exploit existing software vulnerability < 3 months                    28%                 5%
        Exploit existing software vulnerability > 3 months                    26%                 6%
        Other                                                                  5%                 0%
        * Termed Targeted Attacks in the 2011 survey
  • 27. IT operating costs increase due to malware
    [Bar chart: Very significant, Significant, Some significance, None; FY 2012, FY 2011 and FY 2010]
  • 28. Barriers to achieving optimal security
  • 29. IT security budget changes from last year
    [Bar chart: Increase, Stay the same, Decrease, Unsure; FY 2012 and FY 2011]
  • 30. Collaboration between IT operations and IT security
    [Bar chart: Collaboration is excellent; Collaboration is adequate, but can be improved; Collaboration is poor or non-existent; FY 2012 and FY 2011]
  • 31. Admin privileges allowed
    [Bar chart, FY 2012 only: No; Yes, to part of the user environment; Yes, to the entire user environment; the three responses are 41%, 40% and 19%]
  • 32. Greatest challenges in meeting federal compliance regulations (two choices permitted)
        Lack of resources                                        75%
        Increasing audit burden                                  73%
        Explaining issues and requirements to management         15%
        Inconsistent reporting                                   11%
        Manual data collection                                    9%
        None of the above                                        12%
  • 33. Impact of external compliance requirements on IT security function (two choices permitted)
        More personnel and funding for meeting compliance initiatives      56%
        More funding for purchasing security technologies                  53%
        Better understanding of organizational IT risk                     24%
        Improved control procedures                                        20%
        Requirements to update or create new policies                      12%
        Requirements to update or create new training procedures           10%
        Formal audits to ensure policy enforcement                          9%
        None of the above                                                  13%
  • 34. Current and future technologies
  • 35. Technologies in use or to be invested in over the next 12 months (more than one choice permitted)
    [Bar chart: Application control firewall; Application control/whitelisting; Endpoint management and security suite; SEIM; two series: Current use of technology and Expected increase in use of technology]
  • 36. Most effective tools for reducing IT risk (fiscal years 2012 and 2011 limited to five choices)

        Tool                                                      FY 2012   FY 2011   FY 2010
        Privilege management *                                        46%         -         -
        Vulnerability assessment *                                    45%       55%       70%
        Security event and incident management *                      40%       43%         -
        Endpoint management & security suites/platforms               40%       41%       48%
        Endpoint firewall                                             39%       43%       59%
        Device control                                                37%       44%       57%
        Application control firewall                                  37%       42%       52%
        Application control/whitelisting                              36%       37%       44%
        Anti-virus & anti-malware                                     33%       40%       57%
        * This choice not available for all fiscal years
  • 37. Reasons for migrating to Windows 8 (two choices permitted)
        Efficiency and user productivity gains           43%
        Improvements in security                         38%
        Improvements in speed and performance            37%
        Stability of the operating system                33%
        Interoperability issues with other systems       31%
        Improvements in vendor support                   19%
  • 38. Cloud computing and endpoint security
  • 39. The existence and enforcement of cloud security policies
    [Bar chart: Yes / No / Unsure responses to two questions: Does your organization have a centralized cloud security policy? Do you enforce employees' use of private clouds?]
  • 40. Conclusion & Recommendations
    • Create acceptable use policies for personally owned devices in the workplace.
    • Conduct risk assessments and consider the use of an integrated endpoint security suite that includes vulnerability assessment, device control, anti-virus and anti-malware.
    • Establish governance practices for privileged users at the device level to define acceptable use of mobile, BYOD and corporate-owned assets, and to limit the installation of third-party applications.
    • Ensure that policies and procedures clearly state the importance of protecting sensitive and confidential information stored in the cloud.
    • To better address the difficulties in managing endpoint risk, collaboration between IT operations and IT security should be improved, so that resources are allocated better and strategies are created to address the risks associated with hacktivism, BYOD, third-party applications and cloud computing.
  • 41. Caveats
    • There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.
    • Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.
    • Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period.
    • Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.
  • 42. Questions?
    Ponemon Institute
    www.ponemon.org
    Tel: 231.938.9900
    Toll Free: 800.887.3118
    Michigan HQ: 2308 US 31 N. Traverse City, MI 49686 USA
    research@ponemon.org